Whose Narrative is it Anyway? A KV Cache Manipulation Attack
This work addresses a security problem for users and developers of LLMs by exposing a novel attack vector, though it is incremental in focusing on cache manipulation rather than broader model security.
The paper tackles the security vulnerability of the KV cache in autoregressive LLMs by introducing a 'History Swapping' attack that manipulates the cache to steer model generation without altering prompts, finding that only full-layer overwrites can hijack conversation topics across 324 configurations on Qwen 3 models.
The Key Value(KV) cache is an important component for efficient inference in autoregressive Large Language Models (LLMs), but its role as a representation of the model's internal state makes it a potential target for integrity attacks. This paper introduces "History Swapping," a novel block-level attack that manipulates the KV cache to steer model generation without altering the user-facing prompt. The attack involves overwriting a contiguous segment of the active generation's cache with a precomputed cache from a different topic. We empirically evaluate this method across 324 configurations on the Qwen 3 family of models, analyzing the impact of timing, magnitude, and layer depth of the cache overwrite. Our findings reveal that only full-layer overwrites can successfully hijack the conversation's topic, leading to three distinct behaviors: immediate and persistent topic shift, partial recovery, or a delayed hijack. Furthermore, we observe that high-level structural plans are encoded early in the generation process and local discourse structure is maintained by the final layers of the model. This work demonstrates that the KV cache is a significant vector for security analysis, as it encodes not just context but also topic trajectory and structural planning, making it a powerful interface for manipulating model behavior.